
Mitigating SMS API Abuse with Captcha, Signatures, and Third‑Party Verification

After suffering significant losses from malicious bulk requests to a registration‑focused SMS API, the author explains why simple phone‑number or IP restrictions are ineffective and proposes stronger defenses such as server‑validated captchas, request signatures, and integration with third‑party verification services like Geetest.


Recently the SMS endpoint used for registration was hit with malicious bulk requests, costing over a thousand yuan in message fees. The first instinct, rate‑limiting by phone number and by IP, proved ineffective: the phone number is just a request parameter that the attacker chooses freely, and the requests arrive through high‑anonymity proxies whose IPs change constantly and cannot be traced or blocklisted in time.

Countermeasures:

1. Add a captcha. The captcha must be verified on the server side; it can be a traditional character string or a simple arithmetic expression (e.g., “1 + 3 = ?”). The backend generates the challenge, keeps the expected answer in server‑side state keyed by a challenge ID, and sends only the question to the front end; the user must pass the verification before the SMS API can be called. The question can be sent as text, as an encrypted payload, or rendered by the backend as an SVG or image; the answer itself must never be sent to the client. Captchas should be single‑use and short‑lived: invalidate a challenge after successful verification, and also let it expire after a few minutes, otherwise a bot can solve one challenge once and replay it.

2. Add a request signature, for example by concatenating parameters such as phone=...&expire=...&key=... and computing a keyed hash (an HMAC, not reversible encryption) over them with a secret key that the server controls and rotates regularly. The server recomputes the signature on each request, compares it in constant time, and rejects requests whose expire timestamp has already passed or lies unreasonably far in the future. Two caveats a practitioner should keep in mind: a key embedded in a web or mobile front end can be extracted by anyone who inspects the client, so rotation only limits how long a leaked key stays useful; and a valid signature can be replayed until it expires, which is why it is combined with the single‑use captcha above.

3. Integrate a professional third‑party verification service such as Geetest. Its free tier injects ads and caps request volume, while the paid tier requires contacting their sales team. Captchas inevitably affect user experience, but Geetest offers a relatively smooth one; at the time of writing it lacks an official React‑Native package.
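The following is an added example, not code from the original post, showing how countermeasures 1 and 2 fit together on the server: an arithmetic captcha whose answer never leaves the backend and is consumed on first use, and an HMAC‑SHA256 request signature with an expiry window, constant‑time comparison, and a rotation window that still accepts the previous key. Everything here is assumed for illustration: the in‑memory dict stands in for a Redis store with TTL, the key values and the TTL/age constants are placeholders, and `request_sms_code` is a hypothetical gate placed in front of the real SMS provider call.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumptions (not from the post): keys live only on the server; the
# challenge store is an in-memory dict standing in for Redis with TTL.
CURRENT_KEY = b"server-secret-v2"      # key used for new signatures
PREVIOUS_KEY = b"server-secret-v1"     # still accepted during a rotation window
CAPTCHA_TTL = 120                      # seconds a challenge stays valid
SIG_MAX_AGE = 300                      # longest expire window a client may request


@dataclass
class Challenge:
    answer: str
    expires_at: float


_challenges: dict[str, Challenge] = {}


def issue_captcha(a=None, b=None, now=None):
    """Create an arithmetic challenge and return (challenge_id, question).

    Only the question leaves the server; the answer stays in _challenges.
    a, b and now can be fixed so the behaviour is testable deterministically.
    """
    now = time.time() if now is None else now
    a = secrets.randbelow(10) if a is None else a
    b = secrets.randbelow(10) if b is None else b
    cid = secrets.token_urlsafe(16)
    _challenges[cid] = Challenge(answer=str(a + b), expires_at=now + CAPTCHA_TTL)
    return cid, f"{a} + {b} = ?"


def verify_captcha(cid, answer, now=None):
    """Single-use check: the challenge is consumed whether or not the answer
    is right, so every guess costs the attacker a fresh challenge."""
    now = time.time() if now is None else now
    ch = _challenges.pop(cid, None)
    if ch is None or now > ch.expires_at:
        return False
    return hmac.compare_digest(ch.answer.encode(), str(answer).strip().encode())


def sign_request(phone, expire, key=CURRENT_KEY):
    """HMAC-SHA256 over the canonical parameter string, hex-encoded."""
    msg = f"phone={phone}&expire={expire}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_signature(phone, expire, sig, now=None, keys=(CURRENT_KEY, PREVIOUS_KEY)):
    """Reject malformed phones, expired or absurdly long-lived signatures,
    and anything that does not verify under a current or previous key."""
    now = time.time() if now is None else now
    if not (isinstance(phone, str) and phone.isdigit()):
        return False                      # keeps '&' or '=' out of the signed string
    try:
        expire = int(expire)              # request parameters arrive as strings
    except (TypeError, ValueError):
        return False
    if expire < now or expire > now + SIG_MAX_AGE:
        return False
    sig_b = str(sig).encode()
    return any(hmac.compare_digest(sign_request(phone, expire, k).encode(), sig_b)
               for k in keys)


def request_sms_code(phone, expire, sig, cid, answer, now=None):
    """Hypothetical gate in front of the SMS provider call. Returns (ok, reason).
    The signature is checked first so a forged request never consumes a captcha."""
    if not verify_signature(phone, expire, sig, now=now):
        return False, "signature rejected"
    if not verify_captcha(cid, answer, now=now):
        return False, "captcha rejected"
    # the real provider call (send_sms(phone)) would go here
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock so the output is reproducible.
    t0 = 1_700_000_000.0
    cid, question = issue_captcha(a=1, b=3, now=t0)
    sig = sign_request("13800138000", int(t0) + 60)
    print(question, request_sms_code("13800138000", int(t0) + 60, sig, cid, "4", now=t0 + 5))
    print("replay:", request_sms_code("13800138000", int(t0) + 60, sig, cid, "4", now=t0 + 6))
```

Note how the replay in the walk‑through fails only because the captcha was consumed: the signature is still valid until its expire timestamp, so the single‑use challenge is what actually stops a captured request from being resent.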

Captchas are not absolutely secure; they merely raise the attacker's cost, and attackers keep adapting, so this remains a continual arms race.

These are the main ideas the author has considered so far.

Tags: security, captcha, Geetest, abuse prevention, request signing, SMS API
Written by

System Architect Go

Programming, architecture, application development, message queues, middleware, databases, containerization, big data, image processing, machine learning, AI, personal growth.
